netconf-wg / keystore

repo for draft-ieft-netconf-keystore

How to encode certificate chains #1

Closed kwatsen closed 6 years ago

kwatsen commented 7 years ago

This issue is related to https://github.com/netconf-wg/zero-touch/issues/16.

      +--rw private-key* [name]
          +--rw name                                    string
          +--ro algorithm?                              identityref
          +--ro key-length?                             uint32
          +--ro public-key                              binary
          +--rw certificate-chains
          |  +--rw certificate-chain* [name]
          |     +--rw name           string
          |     +--rw certificate*   binary

This is clunky and should be replaced.

  1. use a PEM file (string) that can encode multiple certificates
  2. use a PKCS#12 structure from RFC 7292 to encode a bundle of certs?

Note: Openssl can translate between these two options easily enough.

Assuming option #2, we might have:

      +--rw private-key* [name]
          +--rw name                                    string
          +--ro algorithm?                              identityref
          +--ro key-length?                             uint32
          +--ro public-key                              binary
          +--rw certificates
          |  +--rw certificate* [name]
          |     +--rw name           string
          |     +--rw data           binary    // a pkcs#12 encoding a chain of certs

kwatsen commented 7 years ago

No responses so far. To keep the ball rolling, I’ll assume just supporting pkcs#7 is okay if no objections are raised by this Friday.

Thanks, Kent